Category FILE
Started On 2016-11-03 00:31:45.938764
Completed On 2016-11-03 00:33:59.660468
Duration 133 seconds
Cuckoo Version 2.0-dev

Machine win-xp-sp3
Label win-xp-sp3
Manager VirtualBox
Started On 2016-11-03 00:31:46
Shutdown On 2016-11-03 00:33:59

File Details

File name APT_ATT11990.pdf
File size 438220 bytes
File type PDF document, version 1.7
CRC32 BE9F717B
MD5 452703b9292a7a5d45eb224c622d32cf
SHA1 2786d5ac6a4d5e378c0086acb7a8e19a79692cb2
SHA256 796f0f938e60fc22189c6453db86d41b5cb0f2a84be0ff591584267b21af8dfd
SHA512 f6bd5fdbc07b3837cb5838203a63d3d00923bcdf7c42cdf3ff2038d403db5276c7a222c624f1c5a486e201ca1c0a52880f125adf220fae6f5d129647266365e9
Ssdeep 6144:TFBOyA3SpOYOlBvgxM0o5nA2+fIKpsMbq3PPW7Qk9gD/sg3LLTPQJhWZDw7BXJBU:/s/YOf6Ho5HcIIsMYKgTxf0iKxriOH0
PEiD None matched
Yara None matched
VirusTotal Scan Date 2014-11-09 14:48:41
VirusTotal Detection Rate 37/54

Signatures

No signatures matched

Screenshots

Static Analysis

Strings

Dropped Files

220d543c6f5e2b14_shareddataevents

f4d656ef5c95da9e_adobearm.log

4d7f480cf854fe56_acecache10.lst

a479dd2807cb9817_ArmUI.ini

dd1729eff12c228c_d3d9caps.dat

2a2e0ba33d793244_usercache.bin

70f141a558422e95_a9r885d.tmp

Network Analysis

Nothing to display.

Behavior Summary

File-Read
  • C:\Documents and Settings\ardi\Local Settings\Temp\ArmUI.ini
  • \\?\PIPE\lsarpc
File-Written
  • C:\Documents and Settings\ardi\Local Settings\Temp\ArmUI.ini
  • \\?\pipe\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E009524054672thsnYaVieBoda
  • C:\Documents and Settings\ardi\Local Settings\Temp\AdobeARM.log
  • \\?\PIPE\lsarpc
  • C:\WINDOWS\system32\d3d9caps.dat
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\UserCache.bin
  • \\?\PIPE\lsarpc
  • C:\Documents and Settings\ardi\Local Settings\Application Data\Adobe\Color\ACECache10.lst
  • C:\Documents and Settings\ardi\Local Settings\Temp\A9R885D.tmp
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\SharedDataEvents
  • C:\WINDOWS\system32\d3d9caps.tmp
File-Deleted
  • C:\Documents and Settings\ardi\Local Settings\Temp\ArmUI.ini
File-Opened
  • C:\Documents and Settings\ardi\Local Settings\Temp\ArmUI.ini
  • \\?\pipe\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E009524054672thsnYaVieBoda
  • C:\Documents and Settings\ardi\Local Settings\Temp\AdobeARM.log
  • C:\
  • \\?\PIPE\lsarpc
  • C:\Documents and Settings\All Users\Application Data\Adobe\Acrobat\9.0\
  • C:\
  • C:\Documents and Settings\ardi\Application Data\
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf
  • C:\Documents and Settings\ardi\Application Data\Adobe\Flash Player\AssetCache\
  • C:\Program Files\Adobe\Reader 9.0\Resource\
  • C:\Program Files\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf
  • C:\WINDOWS\Web\wallpaper\Bliss.bmp
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\ZX______.PFB
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\SY______.PFB
  • C:\WINDOWS\system32\wininet.dll
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf
  • C:\WINDOWS\system32\urlmon.dll
  • C:\Program Files\Adobe\Reader 9.0\Resource\CMap\
  • C:\WINDOWS\system32\d3d9caps.tmp
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\
  • C:\Documents and Settings\ardi\Local Settings\Temp\A9R885D.tmp
  • C:\Program Files\
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\Forms\
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search5.api
  • C:\Documents and Settings\ardi\Application Data\Adobe\Flash Player\
  • C:\WINDOWS\system32\VBoxDisp.dll
  • C:\Documents and Settings\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\
  • C:\WINDOWS\system32\Macromed\Flash\
  • C:\WINDOWS\system32\wdmaud.drv
  • C:\WINDOWS\system32\spool\drivers\color\is330.icm
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Updater.api
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Search.api
  • C:\WINDOWS\system32\rpcss.dll
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\CourierStd.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.sig
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\PFM\
  • C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api
  • C:\Program Files\Common Files\Adobe\
  • C:\Documents and Settings\ardi\Application Data\desktop.ini
  • C:\Program Files\Adobe\Reader 9.0\Reader\JavaScripts\
  • C:\Documents and Settings\ardi\Local Settings\Application Data\
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\ZY______.PFB
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\IA32.api
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\Collab\
  • C:\Program Files\Common Files\Adobe\ARM\1.0\
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\HLS.api
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api
  • C:\Documents and Settings\ardi\Local Settings\Temp\
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\
  • C:\WINDOWS\system32
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\reflow.api
  • C:\Documents and Settings\ardi\Local Settings\Temp\APT_ATT11990.pdf
  • C:\Program Files\Adobe\Reader 9.0\Resource\CMap
  • C:\WINDOWS\system32\rsaenh.dll
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  • C:\WINDOWS\system32\spool\drivers\color\kodak_dc.icm
  • C:\Program Files\Common Files\
  • C:\Program Files\Adobe\Reader 9.0\Reader\JavaScripts\JSByteCodeWin.bin
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DVA.api
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\SharedDataEvents
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf
  • C:\Documents and Settings\ardi\
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Annots.api
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\
  • C:\Documents and Settings\ardi\Local Settings\Temp
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font
  • C:\WINDOWS\system32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins3d\
  • C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V
  • C:\WINDOWS\system32\spool\drivers\color\
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api
  • \\?\PIPE\lsarpc
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api
  • C:\WINDOWS\system32\d3d9caps.dat
  • C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\eBook.api
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadCurrency-Regular.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api
  • C:\Documents and Settings\
  • C:\Documents and Settings\ardi\Application Data\Adobe\
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\EScript.api
  • C:\Documents and Settings\ardi\Local Settings\
  • C:\Program Files\Adobe\Reader 9.0\Reader\
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf
  • C:\Documents and Settings\ardi\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api
  • C:\Program Files\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf
  • C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\weblink.api
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1645522239-1935655697-854245398-1003\Installer\UpgradeCodes\68AB67CA000000007716E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\68AB67CA7DA73301B7449A0500000010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockdown
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdobeARM.exe\RpcThreadPoolThrottle
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1645522239-1935655697-854245398-1003\Installer\UpgradeCodes\68AB67CA000000007706E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\68AB67CA000000007716E7A854000000
  • HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\9.0\Language\current
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1645522239-1935655697-854245398-1003\Installer\Products\68AB67CA7DA73301B7449A0500000010
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\66EDAE6A0000000084E4E7A854000000
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\68AB67CA000000007716E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1645522239-1935655697-854245398-1003\Installer\UpgradeCodes\66EDAE6A0000000084E4E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\66EDAE6A0000000084E4E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B7449A0500000010\InstallProperties
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\68AB67CA00000000ABE7E7A854000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1645522239-1935655697-854245398-1003\Installer\UpgradeCodes\68AB67CA00000000ABE7E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\68AB67CA000000007706E7A854000000
  • HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\68AB67CA000000007706E7A854000000
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\68AB67CA00000000ABE7E7A854000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\Installer
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\68AB67CA7DA73301B7449A0500000010
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\AdobeViewer
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM\iNotify
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B7449A0500000010\InstallProperties\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableLUAPatching
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Language\current\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\Debug
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B7449A0500000010\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableUserInstalls
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B7449A0500000010\AuthorizedLUAApp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B7449A0500000010\InstallProperties\VersionMajor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B7449A0500000010\InstallProperties\DisplayVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\AdobeViewer\EULA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\Installer\Path
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B7449A0500000010\InstallProperties\VersionMinor
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisablePatch
  • HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM\tLastT_Reader
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\bUpdater

Processes

lsass.exe PID: 660, Parent PID: 536

AcroRd32.exe PID: 988, Parent PID: 828

AdobeARM.exe PID: 1488, Parent PID: 988

Volatility

Nothing to display.